Twitter’s pattern of making blunders and fixing them only after enough damage has been inflicted continues. This year, another vulnerability was found in Twitter’s databases, posing potential privacy threats to private and pseudonymous accounts and putting their anonymity in jeopardy.
While the issues had been in front of Twitter for a long time, Twitter only addressed them yesterday (06/08/22) in a concise article about the bug, in which it claims to have fixed the vulnerability.
“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account and, if so, which specific account,” the article stated.
Twitter came to know about the bug at the start of this year and claims that it was fixed there and then; its June 2021 update probably caused it.
“At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,” Twitter claimed.
Six months after the bug was fixed, a report from a bug bounty researcher suggested that 5.4 million private and pseudonymous accounts were listed on a dark website and included “celebrities and companies.”
“We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” said Twitter.
Twitter ended the article acting like a big brother, advising people to enable two-factor authentication to protect their accounts from future threats.
A similar bug appeared in 2020, where direct message details were exposed instead of just the account owner’s identity. People using Android OS 8 and 9 were affected by this bug. Twitter claimed that it fixed the bug and that no proof of exploitation of the information was found.